[Ietf-http-auth] Goals of this list?

Nicolas Williams
Sun Dec 18 22:51:49 PST 2005

On Sun, Dec 18, 2005 at 08:35:58PM -0800, Dick Hardt wrote:
> I have seen a number of different topics go by on this list, and am not
> certain what the goal is. Here are a couple of stabs at what I, with my
> little bitty brain, have gathered are the potential goals:
> 1) new mechanism for secure credential exchange that addresses the
> issues with digest mode of basic auth
> 2) ways for authentication mechanisms other than username/password to be
> used to authenticate to a server, e.g. SAML, SXIP, Infocard/WS-*, Kerberos
> Given the ease of MITM today if TLS is not used, and that someone  
> could easily monitor and hijack a running session, I don't think (1)  
> is possible. (but always keen to learn new things!)

Password-based mechanisms can be resistant to MITM attacks, but only if
the password equivalent/verifier held by the server is salted uniquely
and not shared with other servers, or if the mechanism is a
proxied-Kerberos type mechanism (think EAP).

> (2) is what I joined the list for.

Me too.
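To make the "uniquely salted verifier, not shared between servers" condition concrete, here is a small SCRAM-style salted challenge-response in Python. It is an added illustration, not code from this thread or from any of the mechanisms named in it; the labels "Client Key", the iteration count, the usernames, nonces and passwords are all constructed for the demo. It shows three properties the condition buys: the same password enrolled at two servers yields unrelated verifiers, a verifier stolen from one server does not act as a password equivalent anywhere (not even against the server it came from), and a captured proof cannot be replayed under a fresh nonce. What it deliberately omits is channel binding: resistance to an active MITM on an unprotected channel also requires the authenticated message to be tied to the server identity or the transport, which real SCRAM does with a channel-binding field.

```python
"""Toy SCRAM-style salted verifier: added example, not from the original thread."""
import hashlib
import hmac
import os
from dataclasses import dataclass

H = hashlib.sha256
ITERATIONS = 4096  # constructed value for the demo; real deployments tune this


def salted_password(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation so the server never holds the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def client_key(salted: bytes) -> bytes:
    """Per-salt secret the client must know; never stored by the server."""
    return hmac.new(salted, b"Client Key", H).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Verifier:
    salt: bytes        # unique per enrollment, so verifiers never match across servers
    stored_key: bytes  # H(ClientKey): lets the server check a proof but not forge one


def enroll(password: str) -> Verifier:
    salt = os.urandom(16)
    return Verifier(salt, H(client_key(salted_password(password, salt))).digest())


def client_proof(password: str, salt: bytes, auth_message: bytes) -> bytes:
    """Proof = ClientKey XOR HMAC(StoredKey, auth_message); leaks nothing reusable."""
    ck = client_key(salted_password(password, salt))
    sig = hmac.new(H(ck).digest(), auth_message, H).digest()
    return xor(ck, sig)


def server_verify(v: Verifier, auth_message: bytes, proof: bytes) -> bool:
    """Recover the ClientKey from the proof and check it hashes to the stored key."""
    sig = hmac.new(v.stored_key, auth_message, H).digest()
    recovered = xor(proof, sig)
    return hmac.compare_digest(H(recovered).digest(), v.stored_key)


def auth_message(user: str, c_nonce: bytes, s_nonce: bytes) -> bytes:
    # Constructed transcript; real SCRAM also binds a channel-binding value here.
    return b"n=%s,r=%s,s=%s" % (user.encode(), c_nonce.hex().encode(), s_nonce.hex().encode())


def demo_same_password_distinct_verifiers() -> bool:
    """Two servers enrolling the same password hold unrelated verifiers."""
    a, b = enroll("correct horse"), enroll("correct horse")
    return a.salt != b.salt and a.stored_key != b.stored_key


def demo_stolen_verifier_not_reusable() -> bool:
    """An attacker holding server A's verifier tries to use it as a secret.

    Treating stored_key as if it were the ClientKey fails against server B
    (different salt) and against server A itself (stored_key != ClientKey).
    """
    a, b = enroll("correct horse"), enroll("correct horse")
    msg = auth_message("alice", os.urandom(8), os.urandom(8))
    forged = xor(a.stored_key, hmac.new(a.stored_key, msg, H).digest())
    return not server_verify(b, msg, forged) and not server_verify(a, msg, forged)


def demo_replay_fails() -> bool:
    """A proof captured under one server nonce is useless under a fresh one."""
    v = enroll("correct horse")
    c_nonce = os.urandom(8)
    first = auth_message("alice", c_nonce, os.urandom(8))
    captured = client_proof("correct horse", v.salt, first)
    fresh = auth_message("alice", c_nonce, os.urandom(8))
    return server_verify(v, first, captured) and not server_verify(v, fresh, captured)


if __name__ == "__main__":
    print("distinct verifiers:", demo_same_password_distinct_verifiers())
    print("stolen verifier rejected:", demo_stolen_verifier_not_reusable())
    print("replay rejected:", demo_replay_fails())
```

The design point is the split between `stored_key` (what the server keeps) and `client_key` (what only a password holder can derive for a given salt): compromising the server's table yields material that must still be brute-forced through PBKDF2 per user, and because every server salts independently, a break at one server does not become a credential for another. Kerberos-style mechanisms reach a similar place by a different route, since the verifier lives only at the KDC.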


